Re: What email encryption is actually in use?
"Prior to that, the encrypted email I've sent in the past year or so has almost always failed, because of version incompatibilities,"

While in Telecom I was auditing optical transport gear, and we adopted the practice of encrypting all of our audit reports to vendors. Of course, the chance of there being an eavesdropper (uh...other than NSA, that is) was a Planck energy above zero, but it gave the vendors the impression we really cared a lot about their intellectual property (if we determined a problem with their equipment, and if that info ever leaked, it could have a major impact on them). That the messages were decrypted I know for sure, and it was easy for the customers: we would verbally tell them the password for unpacking the encrypted file, and they merely typed it in and it extracted itself. I think the encryption tool was installed directly into the file manager (or whatever it's called now), so it was easy to do.
From: Steve Furlong <sfurlong@acmenet.net> To: cypherpunks@lne.com Subject: Re: What email encryption is actually in use? Date: Sat, 2 Nov 2002 12:41:55 -0500
On Saturday 02 November 2002 12:09, Adam Shostack wrote:
An interesting tidbit in the September Information Security Bulletin is the claim from MessageLabs that only .005% of the mail they saw in 2002 is encrypted, up from .003% in 2000.
... Last month, about 5% of my email was sent PGP encrypted, about 2% STARTTLS encrypted, and about 25% SSH encrypted to people on the same mail server, where POP and IMAP only function via SSH.
I'd be interested to hear how often email content is protected by any form of crypto, including IPsec, STARTTLS, SSH delivery, or PGP or S/MIME. There's probably an interesting paper in going out and looking at this.
Well, here's a datum for you: in the past four or five months, I have sent exactly no encrypted email. There are several reasons, notably that most of my email correspondents are business types who can't handle encryption even after several lessons and checklists and even when the tools are integrated into the MUA.
Prior to that, the encrypted email I've sent in the past year or so has almost always failed, because of version incompatibilities, human error, changes of email address, and what-not. Or because the recipient simply isn't bothering to decrypt mail any more because it's more trouble than it's worth for the low quality of information conveyed.
The only business environment I've ever worked in which successfully used encrypted email mandated specific versions of mail client (Outlook, ecch) and PGP (integrated into Outlook), had a jackbooted thug to make sure everyone's keyring was up to date, and had a fairly small (couple dozen), mostly technically proficient, user base. And even there, half the time the encrypted message wasn't sensitive enough to be worth encrypting nor important enough to be worth decrypting.
I have signed a few messages in the recent past, but that was probably even less worthwhile than encrypting them. For all I know, not a single one has been verified.
-- Steve Furlong Computer Condottiere Have GNU, Will Travel
Vote Idiotarian --- it's easier than thinking
On Saturday, November 2, 2002, at 08:01 PM, Tyler Durden wrote:
"Prior to that, the encrypted email I've sent in the past year or so has almost always failed, because of version incompatibilities,"
While in Telecom I was auditing optical transport gear, and we adopted the practice of encrypting all of our audit reports to vendors. Of course, the chance of there being an eavesdropper (uh...other than NSA, that is) was a Planck energy above zero, but it gave the vendors the impression we really cared a lot about their intellectual property (if we determined a problem with their equipment, and if that info ever leaked, it could have a major impact on them).
When I was at Intel we sent our designs for microprocessors to European branches and/or partners. One set of designs sent to MATRA/Harris, a partner in the 80C86, was stolen in transit. (The box of tapes arrived in Paris, but the tapes had been replaced by the suitable weight of bricks.)

The moral: 99.9999x % of traffic is of little interest to thieves or eavesdroppers. But some fraction is. And it often isn't appreciated until after a theft or eavesdrop in which category the traffic lies. (Equivalent to people not thinking about backups until it's too late.)

Having said this, I, too, rarely encrypt. It should get easier, now that PGP 8 is well-integrated into the Mail program I use in OS X. (Years ago PGP stopped working in my mailer, and I had to encrypt and decrypt manually.)

It is odd that we mostly think crypto should be easy and painless. The military, with a real need for crypto, has full-time code clerks on ships and at bases, even out on the battlefield. And they have "code shacks" and "cipher rooms" and all sorts of procedure and rigamarole about envelopes, couriers, locks on doors, combo locks on safes, need to know, etc. PK crypto has made a lot of things a lot easier, but expecting it all to work with a click of a button is naive.

Of course, most of us don't actually have secrets which make protocols and efforts justifiable. There's the rub.

--Tim May
participants (2): Tim May, Tyler Durden